Manual Chapter : Common Elements for IPsec security association tasks

Applies To:


BIG-IP AFM

  • 15.0.0, 14.1.0

BIG-IP ASM

  • 15.0.0, 14.1.0

BIG-IP AAM

  • 15.0.0, 14.1.0

BIG-IP APM

  • 15.0.0, 14.1.0

BIG-IP LTM

  • 15.0.0, 14.1.0

Common Elements for IPsec security association tasks

Before starting this task, determine the source and destination IP addresses for the BIG-IP systems in your network that will direct the application traffic.
You create a manual security association to specify the security attributes for a given IPsec communication session. These attributes include the specific source and destination IP addresses of the communicating devices, the authentication algorithm, and the encryption algorithm that the IPsec protocol should use.
You must perform this task on both BIG-IP systems.
  1. On the Main tab, click Network > IPsec > Manual Security Associations.
  2. Click the Create button.
    The New Security Association screen opens.
  3. In the Name field, type a unique name for the security association.
  4. In the Description field, type a brief description of the security setting.
  5. In the SPI field, type a unique number for the security parameter index.
    The SPI is a 32-bit field, so this number must be an integer between 256 and 4294967295; values 0 through 255 are reserved. The peer BIG-IP system must use the same SPI for the matching security association in this direction.
  6. From the IPsec Protocol list, select a protocol.
    You can select AH, Bundle, or ESP.
  7. In the Source Address field, type the source IP address.
    This IP address must match the IP address specified for the Tunnel Local Address in the selected IPsec policy.
  8. In the Destination Address field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    This IP address must match the IP address specified for the Tunnel Remote Address in the selected IPsec policy.
  9. From the Authentication Algorithm list, select an algorithm.
    You can select HMAC MD5 or HMAC SHA-1.
    Both are legacy algorithms; if both BIG-IP systems support it, prefer HMAC SHA-1 over HMAC MD5.
  10. From the Encryption Algorithm list, select the algorithm appropriate to your deployment.
  11. In the Authentication Key field, type a key value.
    This value can be any double-quoted character string up to a maximum of 128 characters. The peer BIG-IP system must be configured with the identical key for the matching security association.
  12. In the Encryption Key field, type a key value.
    This value can be any double-quoted character string up to a maximum of 128 characters. Treat both keys as secrets: manual security associations are never rekeyed automatically, so generate the keys from a cryptographically secure random source and do not reuse them across security associations.
  13. From the IPsec Policy Name list, select the IPsec policy that this security association belongs to.
    • If you are using the default policy, retain the default selection, default_ipsec_policy.
    • For the outbound security association, select the IPsec policy you created for outbound traffic.
    • For the inbound security association, select the IPsec policy you created for inbound traffic.
  14. Click Finished.
    The screen refreshes and displays the new IPsec security association in the list.
  15. Repeat this task for the security association that handles traffic in the other direction, so that this BIG-IP system has one inbound and one outbound security association.
  16. Repeat this task on the BIG-IP system in the remote location, so that both the local and remote BIG-IP systems have an inbound and an outbound security association. The outbound security association on one system and the inbound security association on the other describe the same one-way connection, so they must use the same SPI, IPsec protocol, source and destination addresses, algorithms, and keys.
You now have an IPsec security association that you have assigned to an IPsec policy.
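As an added example that is not part of the F5 manual, the following Python script checks the manual security associations planned for two BIG-IP systems against the constraints stated in the steps above before you type them into the GUI: the SPI range, the address/prefix form of the destination (bare IPv4 becomes /32), the 128-character key limit, per-system SPI uniqueness, the Tunnel Local/Remote match against the selected policy, and agreement between an outbound association on one system and the inbound association on its peer. Everything in it is constructed: the system addresses, policy and association names, keys, and the encryption algorithm label "aes256" are placeholders; the policy check reads "must match" in steps 7 and 8 as "source equals the policy's Tunnel Local Address and the destination prefix contains its Tunnel Remote Address"; and the script never contacts a BIG-IP or runs tmsh.

```python
"""Added example, not F5 code: pre-check the manual security associations for two
BIG-IP systems against the constraints in the steps above before entering them in
the GUI.  Every name, address, policy and key below is a constructed sample."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

SPI_MIN, SPI_MAX = 256, 2**32 - 1   # the SPI is a 32-bit field; 0-255 are reserved
KEY_MAX_CHARS = 128
PROTOCOLS = {"ah", "esp", "bundle"}
AUTH_ALGS = {"hmac-md5", "hmac-sha1"}
# IPsec policies: name -> (Tunnel Local Address, Tunnel Remote Address)
Policies = Dict[str, Tuple[str, str]]


def dst_network(dst: str):
    """Parse address/prefix; a bare IPv4 address becomes /32 (IPv6 /128), as in step 8."""
    return ipaddress.ip_network(dst, strict=False)


@dataclass(frozen=True)
class ManualSA:
    name: str
    spi: int
    protocol: str
    src: str          # Source Address (a single host address)
    dst: str          # Destination Address, address or address/prefix
    auth_alg: str
    auth_key: str
    encrypt_alg: str  # not validated: the page lists no fixed set of names
    encrypt_key: str
    policy: str       # IPsec Policy Name

    def wire_identity(self):
        # Everything the peer must agree on; name and policy are local to one system.
        return (self.spi, self.protocol, self.src, str(dst_network(self.dst)),
                self.auth_alg, self.auth_key, self.encrypt_alg, self.encrypt_key)


def validate_sa(sa: ManualSA, policies: Policies) -> List[str]:
    """Return the problems with one SA; an empty list means it passes."""
    p = []
    if not SPI_MIN <= sa.spi <= SPI_MAX:
        p.append(f"{sa.name}: SPI {sa.spi} is outside {SPI_MIN}..{SPI_MAX}")
    if sa.protocol not in PROTOCOLS:
        p.append(f"{sa.name}: IPsec protocol must be one of {sorted(PROTOCOLS)}")
    if sa.auth_alg not in AUTH_ALGS:
        p.append(f"{sa.name}: authentication algorithm must be one of {sorted(AUTH_ALGS)}")
    for label, key in (("authentication", sa.auth_key), ("encryption", sa.encrypt_key)):
        if not 1 <= len(key) <= KEY_MAX_CHARS:
            p.append(f"{sa.name}: {label} key must be 1..{KEY_MAX_CHARS} characters")
    try:
        src, dst = ipaddress.ip_address(sa.src), dst_network(sa.dst)
    except ValueError as exc:
        return p + [f"{sa.name}: bad source or destination ({exc})"]
    if sa.policy not in policies:
        return p + [f"{sa.name}: IPsec policy {sa.policy!r} does not exist"]
    local, remote = policies[sa.policy]
    # Steps 7 and 8, read as: source equals the policy's Tunnel Local Address and
    # the destination prefix contains its Tunnel Remote Address.
    if src != ipaddress.ip_address(local):
        p.append(f"{sa.name}: source must equal Tunnel Local Address {local}")
    if ipaddress.ip_address(remote) not in dst:
        p.append(f"{sa.name}: destination must contain Tunnel Remote Address {remote}")
    return p


def validate_system(sas: List[ManualSA], policies: Policies) -> List[str]:
    """Check every SA on one BIG-IP, plus the per-system uniqueness of SPIs (step 5)."""
    p = [x for sa in sas for x in validate_sa(sa, policies)]
    if len({sa.spi for sa in sas}) != len(sas):
        p.append("SPI values must be unique on a system")
    return p


def validate_peer_pair(outbound: ManualSA, inbound: ManualSA) -> List[str]:
    """The outbound SA on one BIG-IP and the inbound SA on its peer describe the same
    one-way SA, so SPI, addresses, algorithms and keys must all agree."""
    if outbound.wire_identity() != inbound.wire_identity():
        return [f"{outbound.name} and {inbound.name} disagree on SPI, addresses, algorithms or keys"]
    return []


# Constructed sample: BIG-IP A at 10.1.1.1, BIG-IP B at 10.2.2.2, ESP in each direction.
# Policy addresses are chosen to satisfy the rule in steps 7 and 8 for the SA using them.
A, B = "10.1.1.1", "10.2.2.2"
AUTH_KEY, ENC_KEY = "sample-auth-key-replace-me", "sample-enc-key-replace-me"
POLICIES_A: Policies = {"a_out": (A, B), "a_in": (B, A)}
POLICIES_B: Policies = {"b_out": (B, A), "b_in": (A, B)}
SA_A_OUT = ManualSA("a_out_sa", 1000, "esp", A, B, "hmac-sha1", AUTH_KEY, "aes256", ENC_KEY, "a_out")
SA_A_IN = ManualSA("a_in_sa", 1001, "esp", B, A, "hmac-sha1", AUTH_KEY, "aes256", ENC_KEY, "a_in")
SA_B_OUT = ManualSA("b_out_sa", 1001, "esp", B, A, "hmac-sha1", AUTH_KEY, "aes256", ENC_KEY, "b_out")
SA_B_IN = ManualSA("b_in_sa", 1000, "esp", A, B, "hmac-sha1", AUTH_KEY, "aes256", ENC_KEY, "b_in")


def check_deployment() -> List[str]:
    """Run every check for the sample; returns [] when both systems are consistent."""
    return (validate_system([SA_A_OUT, SA_A_IN], POLICIES_A)
            + validate_system([SA_B_OUT, SA_B_IN], POLICIES_B)
            + validate_peer_pair(SA_A_OUT, SA_B_IN)
            + validate_peer_pair(SA_B_OUT, SA_A_IN))
```

Calling check_deployment() on the sample returns an empty list; replace the sample objects with your own addresses, SPIs and keys and print whatever it returns before touching either system. The pairing check is the one most often missed in practice: the outbound association on BIG-IP A and the inbound association on BIG-IP B are the same one-way security association, so their SPI, addresses, algorithms and keys must be identical, while the names and the assigned policies are local to each system.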